(54) Access control system and method

(57) When a server receives a service request from a client, identifiers of a terminal and of a user are acquired from the service request, and authority with respect to the service request is uniquely decided from the terminal and user identifiers acquired. It is then determined, using the authority decided, whether or not to accept the service request.



[Fig. 2: flowchart of the processing of a service request. START; S201: acquire terminal identifier from service request; S202: acquire user identifier from service request; S203: decide corresponding authority of server terminal; S204: is authority with regard to service request valid?; YES: S205 (process the service request); END]



Printed by Jouve, 75001 PARIS (FR)

EP 0 813 327 A2 






Description 

This invention relates to an access control system and method, and particularly to access control of a distributed system in which the resources of remote sites are shared using a computer network, by way of example.

Access control in a distributed system generally is achieved by combining an authentication mechanism in the distributed system with a resource protection mechanism at each site. For example, a distributed file system, which is a means of sharing files via a network, is used in a comparatively small-scale network environment such as a local area network (LAN). In such a case, the site-level user authentication means is applied to the network environment as well by unifying the modes of user management, and resource protection is achieved based upon the authority granted to authenticated users. The file access control means for implementing this generally is provided by the operating system (OS).

In a comparatively large-scale network such as a wide-area network (WAN), on the other hand, use is made of authentication by an authentication system because unifying the modes of user management is difficult. In a large-scale network environment, opportunities to share resources per se are fewer than in a small-scale network. However, in terms of providing the mechanism eventually used as the resource protection mechanism, the situation is the same as in the case of the small-scale network environment.

However, the following problems arise in the art described above:

The first problem is that satisfactory reliability cannot be assured merely by applying the site-level user authentication mechanism to a distributed system. Even if modes of user management are unified between sites, no legal force is involved and a certain site is capable of individually altering some of the management information. In cases such as these, it is possible for a site administrator to impersonate a user, and it is difficult for the resource provider to detect this.

The second problem is that in a scenario in which the resource protection mechanism provided by the operating system (OS) is applied to distributed resources, ordinarily this is effective only at the site at which the resource protection mechanism is operating. Consequently, if there is an externally applied request for operation of a resource, the request must be dealt with based upon the rightful authority given to the site. However, as long as users once authenticated possess the same authority, it is not possible to cope with a situation in which reliability or level of authorization differs depending upon the site, even for the same user.

Accordingly, an object of the present invention is to provide an access control system and method in which, when shared resources in a distributed system are accessed, the shared resources can be protected safely and flexibly.



According to one aspect of the present invention, the foregoing object is attained by providing an access control system for controlling access to a distributed system in which resources of remote sites are shared using a computer network, comprising acquisition means for acquiring an identifier of a terminal which requests a service and an identifier of a user, decision means for uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired, and judging means for judging, using the authority that has been decided, whether or not to accept the service request.

In another aspect of the invention, the foregoing object is attained by providing an access control system for controlling access to a distributed system in which resources of remote sites are shared using a computer network, comprising relay means for acquiring an identifier of a user requesting a service, intercepting the service request by transmitting, to a prescribed address, a service request message onto which the acquired user identifier has been added, and distributing a received message, and service providing means for acquiring as a user identifier an identifier added onto the received service request message, acquiring as a terminal identifier an identifier of the relay means that transmitted this service request message, uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired, and judging, using the authority that has been decided, whether or not to accept the service request.

According to the present invention, the foregoing object is attained by providing an access control method for controlling access to a distributed system in which resources of remote sites are shared using a computer network, comprising an acquisition step of acquiring an identifier of a terminal which requests a service and an identifier of a user, a decision step of uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired, and a judging step of judging, using the authority that has been decided, whether or not to accept the service request.

In another aspect of the invention, the foregoing object is attained by providing an access control method for controlling access to a distributed system in which resources of remote sites are shared using a computer network, comprising, in relay means for intercepting a service request and distributing a received message, a first acquisition step of acquiring an identifier of a user requesting a service and a transmission step of transmitting, to service providing means, a service request message to which the acquired user identifier has been added on, and, in the service providing means, a receiving step of receiving a service request message, a second acquisition step of acquiring as a user identifier the identifier added onto the received service request message, and acquiring as a terminal identifier an identifier of the relay means that transmitted this service request message, a decision step of uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired, and a judging step of judging, using the authority that has been decided, whether or not to accept the service request.

In accordance with the present invention having the configuration described above, it is possible to provide an access control system and method in which, when shared resources in a distributed system are accessed, the shared resources can be protected safely and flexibly.

Embodiments of the present invention will now be described with reference to the accompanying drawings, in which:

Fig. 1 is a diagram illustrating an example of the configuration of a network environment according to an embodiment of the present invention;
Fig. 2 is a flowchart showing an example of a procedure through which a server processes a service request from a client;
Fig. 3 is a flowchart showing an example of a procedure through which a server processes a connection request from a client;
Fig. 4 is a flowchart showing an example of a procedure through which a relay server processes a service request from a client;
Fig. 5 is a flowchart showing an example of a procedure through which a relay server processes a connection request from a client;
Fig. 6 is a diagram showing a first example of a storage medium storing program codes according to the present invention; and
Fig. 7 is a diagram showing a second example of a storage medium storing program codes according to the present invention.

An access control system according to embodiments of the present invention will be described in detail with reference to the drawings.

The embodiments described below relate to a distributed system having a plurality of users, particularly a distributed system in which the authorities of individual users are managed uniformly even in a distributed environment in which the modes of user management differ from one site to another.

[First Embodiment]

Fig. 1 is a diagram illustrating an example of the configuration of a network environment according to an embodiment of the present invention.

As shown in Fig. 1, a group of terminals, described later, are connected to a network terminal 101 to construct a computer network. The computer network described here includes an Ethernet, a LAN using an FDDI, a WAN constructed by interconnecting networks by a public telephone line or leased line, etc.




A server terminal 102 is a computer system such as a workstation or personal computer run by an application provided in a distributed system. Client terminals 103, 105, 106 are computer systems, which are similar to the server terminal 102, run by applications utilizing resources in the distributed system. An authentication server terminal 104 is a computer system, which is similar to the server terminal 102, run by an authentication server which provides an authentication mechanism in the network environment. The authentication server terminal 104 is provided by a Kerberos system, by way of example.

These computer systems are assigned their own identifiers, which are acquired by communication between any of the terminals. Further, the above-mentioned server application, client applications and authentication server are items of software stored on an external storage medium such as a floppy disk, a hard disk, a magneto-optic drive (MO), a CD-ROM, a CD-R or a magnetic tape, or in any non-volatile semiconductor memory device such as a ROM or flash memory. When necessary, the particular software is read into the memory possessed by the terminal and is then executed by a CPU with which the same terminal is provided. It is unnecessary to assign a dedicated terminal to the application software executed, and servers, clients, etc. may operate on a certain terminal simultaneously. Further, the term "server" or "client" is a generic term that relates to the role of the application concerning a prescribed service and does not necessarily have a fixed meaning in terms of an application. In actuality, a certain application may be a server with regard to a certain service or a client with regard to a different service.

Fig. 2 is a flowchart showing an example of a procedure through which a server processes a request from a client. The flowchart has a first step S201, at which a terminal identifier is acquired from a service request sent from a client. The user identifier is then acquired from the service request at step S202. Here the processing for acquiring the user identifier employs authentication means supplied by the authentication server. However, an arrangement may be adopted in which the identifier is acquired using means supplied in dependence upon the network environment, e.g. identity inquiry means in conformity with RFC1413 in the TCP/IP (Transmission Control Protocol/Internet Protocol) network environment.

Next, at step S203, the corresponding authority of the server terminal is decided based upon the terminal identifier and user identifier acquired. If the requested service is to gain access to resources (e.g. files, devices, etc.) protected by the OS, the authority of the server terminal is an authority defined by the OS. If the requested service is a resource (e.g. shared data in a database management system) protected by the server, then the authority of the server terminal is an authority defined independently by the server.

This is followed by step S204, at which it is determined whether the authority regarding the service request is valid (whether the service request is within the limits of authority). If the authority is valid, then the service request is processed at step S205. Of course, if the authority regarding the service request is invalid (the service request is outside the limits of authority), then the service request is not processed.

The details of processing at steps S203 and S204 will now be described.

If a subset of a quotient lattice decided by a certain equivalence relation is taken in a direct product lattice of a set lattice corresponding to respective ones of the terminal identifiers and user identifiers, an ordered relation in the quotient lattice will hold in this subset. A set M comprising all maximal elements is decided in relation to the ordered relation. On the other hand, take an element r of the quotient lattice corresponding to the terminal identifier and user identifier obtained at steps S201 and S202. When there is an element m of M for which m ≥ r holds, the authority with regard to the request is taken as being valid.

In other words, it is assumed that the above-mentioned equivalence relation, the set of maximal elements and a unique corresponding relationship from the maximal elements to the authority of the server terminal have been obtained in advance with regard to each service. Then, at step S203, an equivalence class with regard to the terminal identifier and user identifier is decided. It is then determined at step S204 whether there is an ordered relation between this equivalence class and a series of maximal elements.

Since all sets in the foregoing are equivalence sets, they are expressed by well-known means, such as a bit string. The equivalence relation, on the other hand, is a means for converting the bit string to another, shorter bit string in accordance with rules given by declaration or procedurally.

Abnormalities due to a variety of faults can occur at steps S201 and S202. In such a case, the element of the quotient lattice corresponding to the least upper bound of the direct product lattice relating to the terminal identifier is substituted as the equivalence class at step S203 in response to an abnormality at step S201. The element of the quotient lattice corresponding to the least upper bound of the direct product lattice relating to the user identifier is substituted in response to an abnormality at step S202. The least upper bound of the quotient lattice is substituted in response to abnormalities at both steps S201 and S202.

By way of example, in a case where a service provided to a user group composed of prescribed users is restricted at a terminal connected to a prescribed network, the following is given as an equivalence relation: "whether or not the terminal is included in a sublattice of a direct product lattice decided by a set of identifiers of terminals connected to a specified network and a set of identifiers of users belonging to a specified user group". In other words, the pair "whether or not the terminal is connected to a specified network" and "whether or not the user belongs to a specified user group" is given as the equivalence relation.

As a result, the set of terminal identifiers and the set of user identifiers are each split into two sublattices that do not overlap each other, whereupon there is obtained a quotient lattice of a direct product set comprising 16 elements. This quotient lattice clearly is isomorphic to the direct product lattice of the quotient lattices relating to respective ones of the terminal identifier and user identifier. Accordingly, only one equivalence class corresponding to all pairs of terminal identifiers and user identifiers which will accept a service request is decided in the above-mentioned quotient lattice. This equivalence class is made to correspond to the authority over a service by deciding a set of maximal elements in which this equivalence class is adopted as one element. By virtue of the foregoing operation, the equivalence relation and the set of maximal elements regarding a service, as well as the corresponding relationship to the authority, are specified. In this setting, the pair of terminal identifiers and user identifiers obtained from the service request of the client corresponds to some equivalence class of the quotient lattice. However, acceptance of the request is limited to a case corresponding to an equivalence class employed as a maximal element.

More specifically, in accordance with this embodiment, since an equivalence relation in a set naturally corresponds to an equivalence relation in a set lattice, performing grouping with regard to terminals or users is nothing more than shrinking a large set lattice of elements to a small quotient lattice. As a result, a quotient lattice possessing universality with respect to all quotient lattices used by a server exists, and any quotient lattice becomes a quotient lattice obtained by deciding a separate equivalence relation with respect to the quotient lattice possessing universality. The maximal elements decided by the above-mentioned example, in which there is a limitation upon services provided to a specified user group at a terminal connected to a specified network, correspond to a sublattice of the universal quotient lattice. Accordingly, this is equivalent to effects obtained in a case where, instead of making the setting in the above-mentioned example, use is made of an equivalence relation which determines a quotient lattice having universality and a set of maximal elements comprising the least upper bounds of the sublattice of the quotient lattice.

Thus, in accordance with this embodiment, objects which determine whether authority is given or not can be aggregated in arbitrary units. This makes it possible to establish access control in highly flexible fashion.

Furthermore, in accordance with embodiments described below, it will be illustrated that the present invention is effective also in regard to supporting a distributed environment in which user management modes are different. More specifically, if all pairs of terminal identifiers and user identifiers regarding one and the same user are regarded as being equivalent, and if this is performed with respect to all users, then one equivalence relation will be obtained. The element of the quotient lattice obtained by this equivalence relation is decided, with regard to individual users, without relation to differences in the user management modes. Accordingly, the set of maximal elements may be decided regarding the quotient lattice as being a universal quotient lattice, and a simpler quotient lattice may be decided using a separate equivalence relation. Further, in order to inhibit illegitimate access from a terminal having poor security, it is also possible to adopt an arrangement in which the equivalence class regarding one and the same user is divided into two parts in conformity with the level of security, and weak authority is given to the equivalence class having the lower level.
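The decision of steps S203 and S204 for the network/user-group example above, including the least-upper-bound substitution on a failed identifier acquisition and the security-level split just described, as an added Python example that is not part of the patent; the class names, the sample terminal and user identifiers and the authority names are assumptions:

```python
from itertools import combinations
from typing import FrozenSet, Optional

# Classes produced by the two equivalence relations of the page's example:
# "is the terminal connected to the specified network?" and
# "does the user belong to the specified user group?".
TERMINAL_CLASSES = frozenset({"on_net", "off_net"})
USER_CLASSES = frozenset({"in_group", "not_in_group"})

# Constructed sample data (assumed, not from the patent): which terminal
# identifiers sit on the specified network and which users are in the group.
NET_TERMINALS = {"term-a", "term-b"}
GROUP_USERS = {"alice", "bob"}


def terminal_class(tid: str) -> str:
    """Equivalence relation on terminal identifiers (long id -> short class)."""
    return "on_net" if tid in NET_TERMINALS else "off_net"


def user_class(uid: str) -> str:
    """Equivalence relation on user identifiers."""
    return "in_group" if uid in GROUP_USERS else "not_in_group"


# An element of the quotient lattice of the direct product: a pair
# (set of terminal classes, set of user classes).
Element = tuple[FrozenSet[str], FrozenSet[str]]


def powerset(s: FrozenSet[str]) -> list[FrozenSet[str]]:
    items = sorted(s)
    return [frozenset(c) for n in range(len(items) + 1) for c in combinations(items, n)]


def quotient_lattice() -> list[Element]:
    """All elements of the quotient lattice (4 x 4 = 16 for the two-way split)."""
    return [(t, u) for t in powerset(TERMINAL_CLASSES) for u in powerset(USER_CLASSES)]


def leq(a: Element, b: Element) -> bool:
    """Order relation of the direct product lattice: componentwise inclusion."""
    return a[0] <= b[0] and a[1] <= b[1]


# A service setting: the set M of maximal elements, each mapped uniquely to
# the authority of the server terminal that it confers.
Setting = dict[Element, str]


def is_antichain(setting: Setting) -> bool:
    """M must consist of maximal, i.e. mutually incomparable, elements."""
    elems = list(setting)
    return all(not leq(a, b) for a in elems for b in elems if a is not b)


def request_element(tid: Optional[str], uid: Optional[str]) -> Element:
    """Step S203: the equivalence class r of the request. A failed acquisition
    at S201/S202 (None here) is replaced by the least upper bound of that
    component, so an unknown terminal or user only passes a setting that
    does not discriminate on that component."""
    t = TERMINAL_CLASSES if tid is None else frozenset({terminal_class(tid)})
    u = USER_CLASSES if uid is None else frozenset({user_class(uid)})
    return (t, u)


def decide_authority(setting: Setting, tid: Optional[str], uid: Optional[str]) -> Optional[str]:
    """Step S204: the request is valid iff some m in M satisfies m >= r;
    the authority mapped to that m is returned, otherwise None."""
    r = request_element(tid, uid)
    for m, authority in setting.items():
        if leq(r, m):
            return authority
    return None


ALL = (TERMINAL_CLASSES, USER_CLASSES)
ON_NET_GROUP = (frozenset({"on_net"}), frozenset({"in_group"}))
OFF_NET_GROUP = (frozenset({"off_net"}), frozenset({"in_group"}))

# The page's example: a service for a prescribed group, only from the specified network.
RESTRICTED: Setting = {ON_NET_GROUP: "read-write"}
# A service open to every terminal/user pair: M is the top element of the lattice.
PUBLIC: Setting = {ALL: "read-only"}
# The page's security-level split: the same group gets weak authority off the network.
TIERED: Setting = {ON_NET_GROUP: "read-write", OFF_NET_GROUP: "read-only"}

if __name__ == "__main__":
    print(len(quotient_lattice()))
    print(decide_authority(RESTRICTED, "term-a", "alice"))
    print(decide_authority(RESTRICTED, None, "alice"))
    print(decide_authority(TIERED, "term-z", "bob"))
```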

[Second Embodiment] 

An access control system according to a second embodiment of the present invention will now be described. In the second embodiment, elements substantially the same as those of the first embodiment are designated by like reference characters and need not be described again.

The procedure shown in Fig. 2 makes it possible, even for one and the same user, to arbitrarily set the level of authority in dependence upon the terminal utilized by this user. However, the above-mentioned procedure is such that authentication processing regarding a user is executed with regard to all service requests, and problems in terms of efficiency arise in a case where a service request is issued repeatedly. Accordingly, in the second embodiment, from the standpoint that it will suffice to assure security below a so-called transport level, authentication processing is executed when the connection of a transport level is set.

Fig. 3 is a flowchart showing an example of a processing procedure executed when establishing the connection of a transport level.

At steps S301 through S303, a terminal identifier and a user identifier are acquired from a connection request and the corresponding authority in terms of the server terminal is decided. This is similar to the processing of steps S201 to S203 shown in Fig. 2. It is determined at step S304 whether the decided authority is valid at the server. If the authority is valid, then the connection request is accepted at step S305. Of course, if the authority that has been decided is not valid at the server, then the connection request is not accepted.

The processing procedure for a service request in a case where a connection request is processed in accordance with the procedure shown in Fig. 3 is modified to exclude the steps from S201 to S203 from the procedure of Fig. 2 and, in their place, retrieve the authority decided at step S303 from the service request. This modification of the procedure is easy to perform. Specifically, it will suffice to record a pair consisting of a connection identifier and the authority and retrieve the authority from the connection identifier at step S305 when the service request is processed. It should be noted that the pair consisting of the connection identifier and the authority is destroyed autonomously at the server when the connection is broken.

The processing of steps S303 and S304 is similar to the processing of steps S203 and S204 shown in Fig. 2. However, rather than using settings relating to services, use is made of settings relating to a connection, namely an equivalence relation, a set of maximal elements and a unique corresponding relationship from the maximal elements to the authority of the server terminal. As for the settings relating to a connection and the settings relating to a series of services, usually whatever satisfies the criteria in the former is selected so as to satisfy the criteria in the latter, although in general the two may be independent of each other.

[Third Embodiment]

An access control system according to a third embodiment of the present invention will now be described. In the third embodiment, elements substantially the same as those of the first embodiment are designated by like reference characters and need not be described again.

In a distributed system of a certain type, a certain type of server (referred to below as a "relay server") is provided. Specifically, service requests issued by a plurality of clients simultaneously at client stations are sent to a server collectively by the relay server, and messages sent from a server are distributed to the clients by the relay server. Such a configuration is very effective in a case where replicas of shared resources are held at the client terminals and in a case where messages from the server are sent to a series of clients in the manner of a broadcast. In a configuration of this kind, it is possible to simplify the procedure shown in Fig. 2 or Fig. 3, as will be described below.

First, processing for confirming authority is performed between a server and a relay server in accordance with the procedure shown in Fig. 2 or Fig. 3. The reason for this is that a service which a server provides directly to a relay server differs from that provided to a client; the relay server provides a mechanism for intercepting a request from the client. Accordingly, steps S203 and S204 shown in Fig. 2 are executed based upon settings relating to the service. Step S205, rather than being a step for processing a service request, is a step for processing a service intercept request. It should be noted that the service intercept request processing per se is executed in accordance with the procedure from step S203 onward in the first embodiment using a user identifier and terminal identifier of the relay server obtained through the procedure described below.

Fig. 4 is a flowchart illustrating an example of a procedure, which corresponds to Fig. 2, which a relay server executes with respect to each client in a distributed system of the kind set forth above.

The flowchart has a first step S401, at which a user identifier is acquired from a service request. Since a relay server and a client are operating on one and the same terminal, the processing for acquiring the user identifier is capable of being executed securely and efficiently without using an authentication server or the like.

Next, in a case where various settings relating to a series of services have been provided by a server, authority is decided at step S402 and the validity thereof with respect to the service request is discriminated at step S403. Steps S402 and S403 are for suppressing needless relaying of service requests. Though it is preferred that this actually be carried out, it is possible for this to be omitted.

Finally, service-request intercept processing is executed at step S404. This processing involves transferring, to the server, a message obtained by adding the user identifier acquired at step S401 onto the request message of the client. The user identifier added on is nothing more than a user identifier necessary in service-request intercept processing at the relay server.

Fig. 5 is a flowchart illustrating an example of a procedure, which corresponds to Fig. 3, which a relay server executes with respect to each client.

Step S501 in Fig. 5 is for acquiring a user identifier from a connection request in the same manner as at step S401 in Fig. 4.

Next, in a case where various settings relating to a connection request have been provided by a server, authority is decided at step S502 and the validity of the decided authority is discriminated at step S503. Steps S502 and S503 are for suppressing needless relaying of connection requests. Though it is preferred that this actually be carried out, it is possible for this to be omitted.

Finally, at step S504, the connection request is accepted and the pair consisting of the connection identifier and user identifier received is recorded.

Thereafter, the relay server subjects the accepted connection to processing for intercepting a service request from a client. This intercept processing involves transferring, to the server, a message obtained by adding the user identifier recorded at step S504 onto the request message of the client. It should be noted that the pair consisting of the recorded connection identifier and user identifier is destroyed autonomously at the relay server when the connection is broken.
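The relay path of Figs. 4 and 5, with the server-side connection record of Fig. 3, as an added Python example that is not part of the patent; the message layout, the relay and user identifiers, the per-user authorities and the OS-level lookup local_user_of are assumptions:

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Message:
    kind: str                    # "connect", "request" or "close"
    conn_id: str                 # connection identifier on the relay side
    service: Optional[str] = None
    user: Optional[str] = None   # set by the relay at S404; a client-supplied value is discarded


class RelayServer:
    """Relay server of Figs. 4 and 5: records (connection id, user id) when a
    connection is accepted and adds the recorded user id onto each request
    it intercepts and forwards."""

    def __init__(self, relay_id: str, local_user_of: Callable[[str], str]):
        self.relay_id = relay_id
        # Assumed OS-level lookup of the local user behind a connection; the relay
        # and its clients share one terminal, so no authentication server is needed.
        self.local_user_of = local_user_of
        self.connections: dict[str, str] = {}   # conn_id -> user identifier (S504)

    def handle(self, msg: Message, server: "Server") -> str:
        if msg.kind == "connect":
            self.connections[msg.conn_id] = self.local_user_of(msg.conn_id)  # S501, S504
            return "connection accepted"
        if msg.kind == "close":
            self.connections.pop(msg.conn_id, None)  # pair destroyed when the connection breaks
            return "connection closed"
        user = self.connections.get(msg.conn_id)
        if user is None:
            return "rejected: no accepted connection"
        # S404: intercept processing; the recorded user id replaces whatever the client sent.
        forwarded = Message("request", msg.conn_id, msg.service, user=user)
        return server.handle_from_relay(self.relay_id, forwarded)


class Server:
    """Service provider: the terminal identifier is the identifier of the relay
    that transmitted the message (its authority decided once per connection as
    in Fig. 3), and the user identifier is the one the relay added on."""

    # Authority each service requires (constructed sample, not from the patent).
    REQUIRED = {"read": {"read-only", "read-write"}, "write": {"read-write"}}

    def __init__(self, trusted_relays: set[str], user_authority: dict[str, str]):
        self.trusted_relays = trusted_relays
        self.user_authority = user_authority          # per-user authority (constructed)
        self.relay_authority: dict[str, str] = {}     # relay id -> authority decided at S303

    def connect_relay(self, relay_id: str) -> bool:
        """S301-S305 for the relay's own connection: decide and record its authority."""
        if relay_id not in self.trusted_relays:
            return False
        self.relay_authority[relay_id] = "intercept"
        return True

    def disconnect_relay(self, relay_id: str) -> None:
        """The (connection, authority) pair is destroyed when the connection breaks."""
        self.relay_authority.pop(relay_id, None)

    def handle_from_relay(self, relay_id: str, msg: Message) -> str:
        # Terminal identifier check: only a relay whose connection was accepted may intercept.
        if self.relay_authority.get(relay_id) != "intercept":
            return "rejected: relay not authorized"
        # S203/S204 for the end user, using the user id added on by the relay.
        authority = self.user_authority.get(msg.user or "")
        if authority in self.REQUIRED.get(msg.service or "", set()):
            return f"{msg.service} by {msg.user}: processed with {authority}"
        return f"{msg.service} by {msg.user}: refused"


def run_scenario() -> list[str]:
    """Constructed exchange: client connection c1 (local user alice) goes
    through relay-1, reads, tries to write, tries to claim to be bob, closes;
    then the server drops the relay and a new client c2 (bob) is refused."""
    server = Server({"relay-1"}, {"alice": "read-only", "bob": "read-write"})
    relay = RelayServer("relay-1", {"c1": "alice", "c2": "bob"}.__getitem__)
    out = [str(server.connect_relay("relay-1"))]
    out.append(relay.handle(Message("connect", "c1"), server))
    out.append(relay.handle(Message("request", "c1", "read"), server))
    out.append(relay.handle(Message("request", "c1", "write"), server))
    out.append(relay.handle(Message("request", "c1", "write", user="bob"), server))
    out.append(relay.handle(Message("close", "c1"), server))
    out.append(relay.handle(Message("request", "c1", "read"), server))
    server.disconnect_relay("relay-1")
    out.append(relay.handle(Message("connect", "c2"), server))
    out.append(relay.handle(Message("request", "c2", "write"), server))
    return out


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```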


[Fourth Embodiment] 

An access control system according to a fourth embodiment of the present invention will now be described. In the fourth embodiment, elements substantially the same as those of the first embodiment are designated by like reference characters and need not be described again.

In the third embodiment, authentication of the relay server by a third party such as an authentication server may be omitted in a case where the security of the terminal being operated by the relay server is assured and the relay server is a privileged process in the OS at this terminal. For example, in a TCP/IP network environment, privilege is necessary in an address setting based upon a port number of No. 1023 or less, depending upon the OS of the terminal.

In accordance with this embodiment, the relay server performs the address setting based upon a privileged port number, and the server verifies whether this address is one that has been set by the relay server, thereby making possible identity inquiry of the relay server without relying upon third-party authentication means. Here simple verification means will suffice, such as means for performing regression transfer of any bit pattern selected randomly by communication using the above-mentioned privileged port. The reason for this is that as long as the security of the terminal is assured, an unlawful privileged process which sends back the bit pattern cannot exist. Of course, such means are hazardous in a WAN environment because the reliability of intervening signal paths cannot in general be assured, but they are practical in many LAN environments used in offices or the like.

[Other Embodiments] 

The present invention can be applied to a system 
constituted by a plurality of devices (e.g , a host com- 
puter, interlace, reader, printer, etc ) or to an apparatus 
comprising a single device {e.g., a copier or facsimile 
machine, etc.). 

Further, it goes without saying that the object of the 
present invention can also be achieved by providing a 
storage medium storing program codes tor performing 
the aforesaid functions of the foregoing embodiments to 
a system or an apparatus, reading the program codes 
with a computer (e.g., a CPU or MPU) of the system or 
apparatus from the storage medium, and then executing 
the program. In this case, the program codes read from 
the storage medium implement the functions according 
to the embodiments, and the storage medium storing 
the program codes constitutes the invention. Further, 
the storage medium, such as a floppy disk, hard disk, 
optical disk, magneto-optical disk. CD-ROI^, CD-R. 
magnetic tape, non-volatile type memory card or ROM 
can be used to provide the program codes. 

Furthernnore. besides the case where the aforesaid 
functions according to the embodiments are implement- 
ed by executing the program codes read by a computer, 
it goes without saying that the present invention covers 
a case where an operating system (OS) or the like work- 
ing on the computer performs a part of or the entire proc- 
ess in accordance with the designation of program 
codes and implements the functions according to the 
embodiment. 
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Furthermore, it goes without saying that the present 
invention further covers a case where, after the program 
codes read from the storage medium are written to a 
(unction extension board inserted into the computer or 
to a memory provided in a function extension unit con- 5 
nected to the computer, a CPU or the like contained in 
the function extension board or lunction extension unit 
performs a part of or the entire process in accordance 
with the designation of program codes and implements 
the function of the above embodiments. 

In a case where the present invention is applied to the above-mentioned storage medium, program codes corresponding to the flowchart described earlier are stored on this storage medium. More specifically, the modules illustrated in the example of the memory map of Fig. 6 or Fig. 7 are stored on the storage medium.

Specifically, it will suffice to store program codes of at least the modules "identifier acquisition", "authority decision" and "validity judgment" on the storage medium, or to store program codes of at least the modules "identifier acquisition A", "identifier add-on" and "transmission" for the relay means and program codes of at least the modules "reception", "identifier acquisition B", "authority decision" and "validity judgment" for the service providing means.

As many apparently widely different embodiments of the present invention can be made without departing from the scope thereof, it is to be understood that the invention is not limited to the specific embodiments thereof except as defined in the appended claims.



Claims 

1. An access control method for controlling access to a distributed system in which resources of remote sites are shared using a computer network, comprising:

an acquisition step (S201, S202, S301, S302, S401, S501) of acquiring an identifier of a terminal which requests a service and an identifier of a user;

a decision step (S203, S303, S402, S502) of uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired; and

a judging step (S204, S304, S403, S503) of judging, using the authority that has been decided, whether or not to accept the service request.


2. The method according to claim 1, wherein said acquisition step acquires the terminal identifier and the user identifier for every service request message.


3. The method according to claim 1, wherein said acquisition step acquires the terminal identifier and the user identifier when a connection is requested.



4. An access control method for controlling access to a distributed system in which resources of remote sites are shared using a computer network, comprising:

in relay means for intercepting a service request and distributing a received message, a first acquisition step (S201, S301, S401, S501) of acquiring an identifier of a user requesting a service and a transmission step (S201, S301, S401, S501) of transmitting, to service providing means, a service request message onto which the acquired user identifier has been added; and

in said service providing means, a receiving step (S202, S302) of receiving a service request message, a second acquisition step of acquiring as a user identifier the identifier added onto the received service request message, and acquiring as a terminal identifier an identifier of the relay means that transmitted this service request message, a decision step (S203, S303, S402, S502) of uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired, and a judging step (S204, S304, S403, S503) of judging, using the authority that has been decided, whether or not to accept the service request.

5. The method according to claim 4, wherein said first acquisition step acquires the user identifier for every service request message.

6. The method according to claim 4, wherein said first acquisition step acquires the user identifier when a connection is requested.

7. The method according to claim 4, wherein said sec- 
ond acquisition step acquires the terminal identifier 
of said relay means for every service-intercept re- 
quest message received from said relay means. 

8. The method according to claim 4, wherein said second acquisition step acquires the terminal identifier of said relay means when a connection is requested by said relay means.

9. The method according to claim 4, wherein in a case where a service-intercept request is made using privileged resources at a terminal at which said intercept means operates, said service providing means accepts this service-intercept request.

10. An access control system for controlling access to a distributed system in which resources of remote sites are shared using a computer network, comprising:

acquisition means for acquiring an identifier of a terminal which requests a service and an identifier of a user;

decision means for uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired; and

judging means for judging, using the authority that has been decided, whether or not to accept the service request.

11. An access control system for controlling access to a distributed system in which resources of remote sites are shared using a computer network, comprising:

relay means for acquiring an identifier of a user requesting a service, intercepting the service request by transmitting, to a prescribed address, a service request message onto which the acquired user identifier has been added, and distributing a received message; and

service providing means for acquiring as a user identifier an identifier added onto the received service request message, acquiring as a terminal identifier an identifier of said relay means that transmitted this service request message, uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired, and judging, using the authority that has been decided, whether or not to accept the service request.

12. A computer readable memory storing program codes relating to access control of a distributed system in which resources of remote sites are shared using a computer network, comprising:

a program code of an acquisition step of acquiring an identifier of a terminal which requests a service and an identifier of a user;

a program code of a decision step of uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired; and

a program code of a judging step of judging, using the authority that has been decided, whether or not to accept the service request.

13. A computer readable memory storing program codes relating to access control of a distributed system in which resources of remote sites are shared using a computer network, comprising:

for relay means which intercepts a service request and distributes a received message, a program code of a first acquisition step of acquiring an identifier of a user requesting a service and a program code of a transmission step of transmitting, to service providing means, a service request message onto which the acquired user identifier has been added; and

for service providing means, a program code of a receiving step of receiving a service request message, a program code of a second acquisition step of acquiring as a user identifier the identifier added onto the received service request message, and acquiring as a terminal identifier an identifier of the relay means that transmitted this service request message, a program code of a decision step of uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired, and a program code of a judging step of judging, using the authority that has been decided, whether or not to accept the service request.
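The following is an added illustration of the acquisition, decision and judging steps of claims 1 and 4 (the same steps appear as the "identifier acquisition", "authority decision" and "validity judgment" modules described above for the storage medium). It is not code from the patent. It is written in Python, and the terminal and user identifiers, the authority table, the service names, and the reading of the "privileged resources" of claim 9 as a source the relay's operating system reserves for privileged processes are all assumptions made for the example.

```python
"""Toy model of the (terminal, user) -> authority access control of the claims.

Two request paths are modelled: direct (claims 1-3), where the server sees the
requesting terminal itself, and relayed (claims 4-9), where a relay adds the
user identifier onto the message and the server takes the relay's own identity
as the terminal identifier.  All identifiers and table entries below are
constructed sample data, not taken from the patent.
"""
from dataclasses import dataclass, replace
from enum import Flag, auto
from typing import Optional


class Authority(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()


@dataclass(frozen=True)
class Connection:
    """Transport-level facts the server learns when a peer connects.

    peer_terminal_id is bound to the connection (e.g. the authenticated host
    at the other end); it is never read from the message body, so a client
    cannot choose the terminal identifier it is judged under.
    privileged_source models the 'privileged resources' of claim 9
    (assumption: e.g. a source port only a privileged process may bind).
    """
    peer_terminal_id: str
    privileged_source: bool = False


@dataclass(frozen=True)
class ServiceRequest:
    service: str                    # "read" or "write" (sample services)
    resource: str
    user_id: Optional[str] = None   # carried by the client directly, or added by the relay


# Constructed sample authority table.  Authority is a function of the pair,
# so the same user holds different rights when requesting from a different terminal.
AUTHORITY_TABLE = {
    ("term-A", "alice"): Authority.READ | Authority.WRITE,
    ("term-A", "bob"): Authority.READ,
    ("relay-1", "alice"): Authority.READ,
}
REQUIRED = {"read": Authority.READ, "write": Authority.WRITE}


def decide_authority(terminal_id: str, user_id: str) -> Authority:
    """Decision step: exactly one authority per (terminal, user); unknown pairs get none."""
    return AUTHORITY_TABLE.get((terminal_id, user_id), Authority.NONE)


def judge(authority: Authority, request: ServiceRequest) -> bool:
    """Judging step: accept only if the decided authority covers the requested service.
    Unknown services are refused rather than mapped to a default right."""
    needed = REQUIRED.get(request.service)
    return needed is not None and needed in authority


def process_direct(conn: Connection, request: ServiceRequest) -> bool:
    """Claim 1 path: terminal identifier from the connection, user identifier from
    the request message (claim 2).  A request without a user identifier is refused."""
    if request.user_id is None:
        return False
    return judge(decide_authority(conn.peer_terminal_id, request.user_id), request)


def relay_forward(user_id: str, request: ServiceRequest) -> ServiceRequest:
    """Relay means (claim 4): acquire the user identifier locally and add it onto
    the message before transmitting it to the service providing means."""
    return replace(request, user_id=user_id)


def process_relayed(conn: Connection, message: ServiceRequest) -> bool:
    """Service providing means (claim 4): user identifier from the added field,
    terminal identifier from the relay's connection.  The added user identifier is
    believed only when the relay's request comes from privileged resources (claim 9);
    otherwise any unprivileged client could forge the field and pick its own user."""
    if not conn.privileged_source or message.user_id is None:
        return False
    return judge(decide_authority(conn.peer_terminal_id, message.user_id), message)


if __name__ == "__main__":
    print(process_direct(Connection("term-A"), ServiceRequest("write", "/doc", "alice")))
    msg = relay_forward("alice", ServiceRequest("read", "/doc"))
    print(process_relayed(Connection("relay-1", privileged_source=True), msg))
```

The two points a practitioner should take from the model are that the terminal identifier is taken from the connection rather than from the message, so the (terminal, user) lookup cannot be steered by the requester, and that a relay's added user identifier is only as trustworthy as the relay itself, which is why the claim 9 condition gates whether the server believes it at all.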
FIG. 4